As many of you are aware, Congress reached an agreement to fund the U.S. government for the remainder of fiscal year (FY) 2012 shortly before departing on its winter break. To no one's surprise, Federal Emergency Management Agency (FEMA) preparedness grants took a significant cut in the new budget (more than $660 million below the FY 2011 enacted amount), largely due to a lack of metrics for measuring the effectiveness of these programs. At the same time, Congress also eliminated individual allocations for state, urban area, transit and port security grants, and instead created a single pool of grant funds -- in the process directing FEMA to allocate these funds based on "threat, vulnerability, and consequence to assist high-risk urban areas, States, local and Tribal governments, and other homeland security partners in preventing, preparing for, protecting against, and responding to acts of terrorism."

In taking this stance, Congress has placed a stake in the ground relative to the need for quantifiable metrics to guide future federal investments in homeland security at the state and local level. SARMA agrees with this. In the current budget environment, we believe the United States cannot continue to allocate scarce security dollars without: 1) a better understanding of current risks (i.e., the scope of the problem); 2) accounting for existing capabilities to mitigate these risks; 3) identifying gaps in current capabilities; 4) developing an ability to analyze the effectiveness of alternative solutions for addressing these gaps; and 5) implementing quantifiable metrics for gauging the impact of the options chosen. The urgency of implementing a sound risk management construct is further heightened by pooling the grant dollars in FY 2012 and the directive to use broadly accepted risk calculations as the means for allocating funding across a diverse range of stakeholders. This is a positive development: without an understanding of the problem, who do you give the money to in a manner that is both meaningful and defensible?

As I have said before, the answer to this challenge should begin with consideration of the tools and resources already on hand for establishing a true risk management process. For example, existing and proven methodologies like the Maritime Security Risk Analysis Model (MSRAM), Terrorism Risk Assessment Methodology (TRAM) and FEMA's own HAZUS-MH tool should be examined to determine if they can offer the necessary building blocks. Another potential element of the solution is discussed by Dr. Jerry Brashear in this issue of The Risk Communicator. In his piece, Dr. Brashear discusses the Regional Resilience/Security Analysis Process developed through a recent pilot study funded by DHS' Science and Technology Directorate.

With a sound risk management construct in place, many elements of FEMA's current grant process could be easily aligned to support this approach. For example, the Target Capabilities List (TCL), or a successor, could provide the means for identifying gaps between existing capabilities and required capabilities. Likewise, strategic planning efforts, such as the State Hazard Mitigation Plans, State/Urban Area Homeland Security Strategies and Port-Wide Risk Management Plans, could provide the mechanism for addressing the identified capability gaps through defined goals, objectives and implementation steps. Implementing such an approach as a collaboration between FEMA and its state, local and private-sector partners could in turn allow for new efficiencies in the grant application and reporting process. For example, the ability to fund standardized and approved plans, backed by rigorous monitoring and exercise programs, should provide the confidence needed to eliminate a host of burdensome reporting requirements. In addition to these efficiencies, stakeholders at all levels of the process would benefit from the ability to apply common, repeatable and transparent metrics. One such measurement enabled by use of this new risk management construct would be the ability to gauge program impact as a function of risk reduction and risk reduction return on investment (ROI). Adopting such an outcomes-based approach would:

• Help ensure that the focus remains on building capabilities where they are needed;
• Allow states and localities to prioritize investments more effectively by understanding how much risk reduction could be achieved through investment in a particular capability; and
• Provide federal officials with the basis for measuring and articulating the overall effectiveness of the grants in reducing risk to the nation.

The effectiveness of these investments could also be further tested through the Homeland Security Exercise and Evaluation Program (HSEEP). HSEEP-compliant exercises would provide additional confidence that the solutions implemented are in fact having their intended impact. Coupled with effective programmatic monitoring, this feedback would also support the iterative application of subsequent grant rounds to ensure that these funds continued to: 1) target the most pressing risks; and 2) do so in the most efficient and effective manner possible.

Solving this challenge is only one part of a bigger problem, however. You may recall that SARMA honored David M. Walker, the former Comptroller General of the United States, with its prestigious Excellence in Public Service Award this past year. Since leaving public service, Mr. Walker has continued to contribute to the national debate on the impact of public debt, the need for fiscal discipline and the tools required to more effectively manage taxpayer dollars. His organization, the Comeback America Initiative, is sponsoring a quiz to test the public's knowledge of fiscal facts and views about potential solutions. I took the opportunity to participate at http://www.fiscaliq.net, and encourage you to do the same.

No matter our personal political views, I think we can all agree that public sector budgets will continue to shrink in the years ahead, and that we therefore must spend scarce security dollars in the most informed and meaningful way possible. SARMA stands ready to assist as a non-partisan source of advice and information on risk management tools and techniques to those working to shape sound security policies in this challenging environment.

Wishing you all the best for the New Year,

Kerry

Kerry L. Thomas

President

SARMA Announces Advisory Council Inaugural Luncheon & Awards Ceremony

To mark its fifth year serving the security risk management community, SARMA is holding an Inaugural Luncheon for its new Advisory Council on February 2, 2012 at the Cosmos Club in Washington DC. The luncheon will bring together SARMA leaders, supporters and other Advisory Council members. The Advisory Council provides SARMA Executive Officers, Board members and management with a source of advice and strategic counsel from prominent industry, government and academic leaders who are knowledgeable in security-related areas.

SARMA will also use the opportunity of the luncheon to present its Excellence in Public Service Award in recognition of an individual who has strongly and consistently championed security risk management principles and practices in government, and whose actions have had an important impact on the way security risk management is implemented in the public sector. The award will be presented to the Honorable David M. Walker, former Comptroller General of the United States, for his seminal role in elevating the use of risk management principles as a tool both for guiding the nation's investments in homeland security and for evaluating their effectiveness. Several other awards will also be announced at the luncheon.

The luncheon is open to SARMA Board Members, Corporate Patrons (Silver level and above) and Advisory Council members. For more information on the luncheon, contact Laura Johnson, Director, Conference & Events at [email protected].

Click here to join SARMA as one of our growing number of dedicated members, or contact Paula Copperthite, Director of Membership and Outreach, at [email protected] for more information.

National Preparedness Starts With

Regional Resilience & Security Analysis

by Jerry P. Brashear, PhD

The Scale Of Preparedness 

At the core of preparedness to cope with major disruptions -- resilience and security -- are critical infrastructures, core public health and safety services and the economic base. Dependencies within and between infrastructure systems, public services, business and economic sectors can allow potentially limited disruptions to cascade into major regional calamities.

Dealing with these contingencies and dependencies requires a uniquely metropolitan regional approach. National and multi-state infrastructures converge on metropolitan regions, local and metropolitan infrastructures and the vital services that depend on them interact in their most immediate and complex ways in metro regions. And metro areas are where the majority of people live and work, so that is where the greatest consequences of disruptions occur. While sector-specific and "top-down" national risk management programs can contribute to overall preparedness, the integration essential to address specific risks, potential service outages and dependencies requires a metropolitan approach.

Growing Federal Attention 

These observations have given rise to continuing and growing attention by the U.S. Department of Homeland Security, state and local agencies, as well as by private utilities and enterprises and non-governmental civic organizations to regional preparedness, resilience and security.

Most recently at the national level, Presidential Policy Directive 8 (PPD-8) has launched an "all-of-Nation" program to enhance the preparedness (defined as security and resilience) of whole regional communities to cope with disruptions of all kinds. The Federal Emergency Management Agency, designated to lead this initiative, has issued a National Preparedness Goal and an abstract description of a National Preparedness System, which lay out a series of capabilities and broad processes for establishing them at multiple levels. The program has not, however, defined a specific analytic process that would support risk-based decision-making to allocate resources to resilience and security capabilities on a metropolitan scale.

The DHS National Protection and Programs Directorate (NPPD) is reorganizing, including a new Deputy Under-Secretary position and a new office for risk modeling and analysis, but no programmatic directions have been announced so far. The NPPD's Office of Infrastructure Protection has conducted a series of pilot-scale projects using diverse analytical tools and varying definitions of "region" collectively described as a Regional Resilience Analysis Program, but without converging on a common analytical process for assessing risk and resilience or allocating resources to specific options to advance security and resilience.

The DHS Science & Technology Directorate, however, recognized that what is needed is an objective, quantitative business process for identifying and evaluating ways that metropolitan regions and their constituent organizations can enhance their security and resilience within available financial and human resources. Its Infrastructure & Geophysical Division has sponsored a field-based research, development and demonstration project expressly targeted at meeting the analytic requirements to support local, metropolitan, state and private-sector resource allocation decisions to advance value, resilience and security objectives. This process could support either or both Preparedness and Regional Resilience programs and contribute to optimizing federal resource allocations in the process. This report summarizes the interim results of this project.

Design Objectives 

Basic design objectives for the needed business process have been defined based on work in several regions (National Capital Region, Nashville-Davidson County, Hampton Roads, Virginia) with regional leaders, managers and operations personnel of critical infrastructure systems, core community services, and key elements of the business base. The needed risk/resilience analysis process must:

• Be technically sound, quantitative, objective, and repeatable
• Estimate loss (for risk) and service outage (for resilience) in terms and methods directly comparable across sites and sectors
• Make these estimates to both the owners of the individual systems and the public of the regional community it serves, respectively, to gauge the benefits and costs to each of inaction and options
• Produce expected (i.e., probability-weighted) values of losses and outages that incorporate the likelihood of unwanted events and the vulnerability to them, as well as their consequences
• Estimate benefits and costs in terms that can be directly compared to the evaluations of unrelated investment options with which they must compete in budgetary and grant allocation decision-making
• Include the effects of dependencies and interdependencies explicitly
• Be directly usable in capital and operating budget-making decisions of local, state and business organizations -- and possibly federal competitive grant programs
• Be capable of being carried out and maintained by on-site state or metropolitan, non-specialized, non-expert staff
• Permit re-analysis over time to measure progress and to establish accountability, and
• Be maintained and updated regularly, improving the quality and scope of the region's analysis over time

The Regional Resilience/Security Analysis Process (RR/SAP) has been developed from first-hand experience in 10 infrastructure sectors and subsectors, three national standards, four regions ranging in population from tens of thousands to several million, and numerous regional disasters. The feasibility of its components has been tested at all these levels and has proven practical, reliable and useful for supporting difficult public and private decisions. In its integrated from, RR/SAP has completed the first round of integrated, field-based spiral development.

RR/SAP consists of two cycles: (a) a risk/resilience assessment cycle to identify the most important risk and resilience challenges, followed by (b) an option evaluation cycle to gauge the value of specific options for enhancing resilience and security. For the region and each system and selected facility, the risk/resilience assessment cycle builds in six phases:

1. Decision-Makers' Objectives & Priorities: Decision-makers define and rank their objectives, criteria and priorities for resilience, continuity and security, and define the metrics for evaluating options and measuring progress.

2. Facility/Asset Analysis: Key facilities and their assets are priority-screened and undergo an in-depth risk/resilience analysis according to an American National Standard process that estimates the owners' static risks and resilience levels based on a common set of threats.

3. Service Delivery Systems Analysis: Service delivery systems operating under current control systems are modeled to refine the owners' estimates in a dynamic analysis and identify specific geographical locations of outages.

4. System-of-Systems Analysis: Dependencies among the systems are analyzed to determine where one system's difficulties impact other systems' operations, quantifying direct dependency risks and resilience levels for other owners and for the region as a whole.

5. Regional Economic Analysis: Outages estimated above are analyzed using a regional economic model to estimate the total economic impact on each industry sector, the region, state and, possibly, the nation.

6. Decision-Makers' Choices & Plans: Decision-makers review the results, select and rank areas for improvement, and direct further analysis in the option evaluation cycle.

Where security and/or resilience are unacceptable to the leaders, the option evaluation cycle defines improvement options: new projects, programs and/or investments to enhance capabilities, value, resilience and security. It then revisits each phase of the analysis cycle to define precisely how and by how much the options would improve resilience and security; what they will cost; and which would be the most valuable to the owners of the respective systems and to the region's citizens, respectively. Decision-makers review these evaluations to determine which (if any) will be included in their budgets and plans based on their net benefits and benefit/cost ratios.

At higher levels of government, competitive grants could be allocated in a similar decision process, and formula grants could require such analyses in support of their proposed plans and performance evaluations. For all levels, progress and accountability could be measured using the same criteria used in option selection, which would specifically address Congressional criticisms of DHS programs' lack of progress metrics.

The RR/SAP meets all the design criteria set for it. It does, however, require additional refinement and field-testing before it is ready for full-scale implementation.

The Outcome 

In the U.S., metropolitan governments are rare, but most such regions lie wholly or predominantly in a single state. State emergency management and homeland security agencies already have missions compatible with the application of RR/SAP and working relationships with their federal counterparts, suggesting a national-state-regional-local implementation approach.

The outcome of widespread use of this business process will be rational public-private collaboration toward regional-preference, analysis-based priorities and investments that make regional infrastructure systems, community facilities and preparedness capabilities more resilient, secure and reliable -- and, in aggregate, a more resilient, secure nation -- to the benefit of all its citizens, businesses and society as a whole.

Jerry P. Brashear, PhD, is an independent consultant in risk and resilience analytic methods as applied to project, portfolio and enterprise risk management in industry and governments at all levels. As Senior Fellow at the American Society of Mechanical Engineers' R&D institute, he led projects to develop and adapt an all-quantitative, all-hazards risk/resilience analysis process for process industries, an American National Standard for water and wastewater systems, a feasibility study of adapting financial portfolio methods to infrastructure investments, and two major projects to develop security/resilience methods for metropolitan regions.   

NIAC: Intelligence Information Sharing

A new report from the National Infrastructure Advisory Council examines "whether the right people are receiving the right intelligence information at the right time to support robust protection and resilience of the Nation's critical infrastructure."

NTI: Nuclear Materials Security Index

A new report and index from the Nuclear Threat Initiative "assesses the contribution of 32 states with one kilogram or more of weapons-usable nuclear materials toward improved global nuclear materials security conditions, using five categories: (a) Quantities and Sites, (b) Security and Control Measures, (c) Global Norms, (d) Domestic Commitments and Capacity, and (e) Societal Factors."

GAO: Border Security: Additional Steps Needed to Ensure That Officers Are Fully Trained

A new report from the Government Accountability Office takes a close look at the training of Customs & Border Patrol agents and recomends that "the CBP Commissioner evaluate the 'Back to Basics' training course; analyze covert test results; establish a policy for training responsibilities, including oversight of training records; and, conduct a training needs assessment."